OCPBUGS-34129: Update Minimal permissions for GCP installs

barbacbd · barbacbd · commit 07d7cd519873 · 2024-07-17T15:11:42.000-04:00
** Due to the addition of CAPG resources, the installer destroy code requires additional minimal permissions. Even
though the minimal install does not use CAPG, the search for resources remains the same no matter the type of install.

** NOTE: This does not include the ability to delete these new resources as that is not part of the minimal install and destroy, these
additional permissions allow the user to list those resources.

** Adding minimum permissions for installations with cluster api gcp provider.
diff --git a/modules/minimum-required-permissions-ipi-gcp.adoc b/modules/minimum-required-permissions-ipi-gcp.adoc
@@ -28,10 +28,16 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.forwardingRules.get`
 * `compute.forwardingRules.list`
 * `compute.forwardingRules.setLabels`
+* `compute.globalAddresses.create`
+* `compute.globalAddresses.get`
+* `compute.globalAddresses.use`
+* `compute.globalForwardingRules.create`
+* `compute.globalForwardingRules.get`
 * `compute.networks.create`
 * `compute.networks.get`
 * `compute.networks.list`
 * `compute.networks.updatePolicy`
+* `compute.networks.use`
 * `compute.routers.create`
 * `compute.routers.get`
 * `compute.routers.list`
@@ -47,6 +53,11 @@ If your organization’s security policies require a more restrictive set of per
 .Required permissions for creating load balancer resources
 [%collapsible]
 ====
+* `compute.backendServices.create`
+* `compute.backendServices.get`
+* `compute.backendServices.list`
+* `compute.backendServices.update`
+* `compute.backendServices.use`
 * `compute.regionBackendServices.create`
 * `compute.regionBackendServices.get`
 * `compute.regionBackendServices.list`
@@ -58,6 +69,9 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.targetPools.list`
 * `compute.targetPools.removeInstance`
 * `compute.targetPools.use`
+* `compute.targetTcpProxies.create`
+* `compute.targetTcpProxies.get`
+* `compute.targetTcpProxies.use`
 ====
 
 .Required permissions for creating DNS resources
@@ -140,13 +154,17 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.httpHealthChecks.get`
 * `compute.httpHealthChecks.list`
 * `compute.httpHealthChecks.useReadOnly`
+* `compute.regionHealthChecks.create`
+* `compute.regionHealthChecks.get`
+* `compute.regionHealthChecks.useReadOnly`
 ====
 
 .Required permissions to get GCP zone and region related information
 [%collapsible]
 ====
 * `compute.globalOperations.get`
 * `compute.regionOperations.get`
+* `compute.regions.get`
 * `compute.regions.list`
 * `compute.zoneOperations.get`
 * `compute.zones.get`
@@ -185,10 +203,15 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.addresses.delete`
 * `compute.addresses.deleteInternal`
 * `compute.addresses.list`
+* `compute.addresses.setLabels`
 * `compute.firewalls.delete`
 * `compute.firewalls.list`
 * `compute.forwardingRules.delete`
 * `compute.forwardingRules.list`
+* `compute.globalAddresses.delete`
+* `compute.globalAddresses.list`
+* `compute.globalForwardingRules.delete`
+* `compute.globalForwardingRules.list`
 * `compute.networks.delete`
 * `compute.networks.list`
 * `compute.networks.updatePolicy`
@@ -202,10 +225,14 @@ If your organization’s security policies require a more restrictive set of per
 .Required permissions for deleting load balancer resources
 [%collapsible]
 ====
+* `compute.backendServices.delete`
+* `compute.backendServices.list`
 * `compute.regionBackendServices.delete`
 * `compute.regionBackendServices.list`
 * `compute.targetPools.delete`
 * `compute.targetPools.list`
+* `compute.targetTcpProxies.delete`
+* `compute.targetTcpProxies.list`
 ====
 
 .Required permissions for deleting DNS resources
@@ -259,6 +286,8 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.healthChecks.list`
 * `compute.httpHealthChecks.delete`
 * `compute.httpHealthChecks.list`
+* `compute.regionHealthChecks.delete`
+* `compute.regionHealthChecks.list`
 ====
 
 .Required Images permissions for deletion
diff --git a/modules/minimum-required-permissions-upi-gcp.adoc b/modules/minimum-required-permissions-upi-gcp.adoc
@@ -29,10 +29,17 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.forwardingRules.get`
 * `compute.forwardingRules.list`
 * `compute.forwardingRules.setLabels`
+* `compute.globalAddresses.create`
+* `compute.globalAddresses.get`
+* `compute.globalAddresses.setLabels`
+* `compute.globalAddresses.use`
+* `compute.globalForwardingRules.create`
+* `compute.globalForwardingRules.get`
 * `compute.networks.create`
 * `compute.networks.get`
 * `compute.networks.list`
 * `compute.networks.updatePolicy`
+* `compute.networks.use`
 * `compute.routers.create`
 * `compute.routers.get`
 * `compute.routers.list`
@@ -48,6 +55,11 @@ If your organization’s security policies require a more restrictive set of per
 .Required permissions for creating load balancer resources
 [%collapsible]
 ====
+* `compute.backendServices.create`
+* `compute.backendServices.get`
+* `compute.backendServices.list`
+* `compute.backendServices.update`
+* `compute.backendServices.use`
 * `compute.regionBackendServices.create`
 * `compute.regionBackendServices.get`
 * `compute.regionBackendServices.list`
@@ -59,6 +71,9 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.targetPools.list`
 * `compute.targetPools.removeInstance`
 * `compute.targetPools.use`
+* `compute.targetTcpProxies.create`
+* `compute.targetTcpProxies.get`
+* `compute.targetTcpProxies.use`
 ====
 
 .Required permissions for creating DNS resources
@@ -141,13 +156,18 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.httpHealthChecks.get`
 * `compute.httpHealthChecks.list`
 * `compute.httpHealthChecks.useReadOnly`
+* `compute.regionHealthCheckServices.list`
+* `compute.regionHealthChecks.create`
+* `compute.regionHealthChecks.get`
+* `compute.regionHealthChecks.useReadOnly`
 ====
 
 .Required permissions to get GCP zone and region related information
 [%collapsible]
 ====
 * `compute.globalOperations.get`
 * `compute.regionOperations.get`
+* `compute.regions.get`
 * `compute.regions.list`
 * `compute.zoneOperations.get`
 * `compute.zones.get`
@@ -189,10 +209,15 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.addresses.delete`
 * `compute.addresses.deleteInternal`
 * `compute.addresses.list`
+* `compute.addresses.setLabels`
 * `compute.firewalls.delete`
 * `compute.firewalls.list`
 * `compute.forwardingRules.delete`
 * `compute.forwardingRules.list`
+* `compute.globalAddresses.delete`
+* `compute.globalAddresses.list`
+* `compute.globalForwardingRules.delete`
+* `compute.globalForwardingRules.list`
 * `compute.networks.delete`
 * `compute.networks.list`
 * `compute.networks.updatePolicy`
@@ -206,10 +231,14 @@ If your organization’s security policies require a more restrictive set of per
 .Required permissions for deleting load balancer resources
 [%collapsible]
 ====
+* `compute.backendServices.delete`
+* `compute.backendServices.list`
 * `compute.regionBackendServices.delete`
 * `compute.regionBackendServices.list`
 * `compute.targetPools.delete`
 * `compute.targetPools.list`
+* `compute.targetTcpProxies.delete`
+* `compute.targetTcpProxies.list`
 ====
 
 .Required permissions for deleting DNS resources
@@ -263,6 +292,8 @@ If your organization’s security policies require a more restrictive set of per
 * `compute.healthChecks.list`
 * `compute.httpHealthChecks.delete`
 * `compute.httpHealthChecks.list`
+* `compute.regionHealthChecks.delete`
+* `compute.regionHealthChecks.list`
 ====
 
 .Required Images permissions for deletion
